From 7354d23eed1c9cb58b729a7688fdc024717492c5 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 15 Jul 2024 18:25:28 +1000 Subject: [PATCH 01/19] Start to refactor the database module into separate files --- .../infra/db.bicep | 117 ------------------ .../infra/db/cosmos-mongodb.bicep | 17 +++ .../infra/db/cosmos-postgres.bicep | 29 +++++ .../infra/db/postgres-addon.bicep | 21 ++++ .../infra/db/postgres-flexible.bicep | 37 ++++++ .../infra/main.bicep | 71 ++++++++--- 6 files changed, 160 insertions(+), 132 deletions(-) delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/db.bicep create mode 100644 {{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep create mode 100644 {{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep create mode 100644 {{cookiecutter.__src_folder_name}}/infra/db/postgres-addon.bicep create mode 100644 {{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep diff --git a/{{cookiecutter.__src_folder_name}}/infra/db.bicep b/{{cookiecutter.__src_folder_name}}/infra/db.bicep deleted file mode 100644 index 935e12a..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/db.bicep +++ /dev/null 
@@ -1,117 +0,0 @@ -{% if "postgres" in cookiecutter.db_resource %} -{% set pg_version = 15 %} -{% endif %} - -param name string -param location string = resourceGroup().location -param tags object = {} -param prefix string -{# Define the dbserverUser. in cosmos-postgres it is 'citus' and in postgres aca add-on it is predefined #} -{% if cookiecutter.db_resource == "cosmos-postgres" %} -// value is read-only in cosmos -var dbserverUser = 'citus' -{% elif cookiecutter.db_resource == "postgres-flexible" %} -var dbserverUser = 'admin${uniqueString(resourceGroup().id)}' -{% endif %} -{# Create the dbserverPassword this is only required for postgres instances #} -{% if cookiecutter.db_resource in ("postgres-flexible", "cosmos-postgres") %} -@secure() -param dbserverPassword string -{% endif %} -{% if cookiecutter.db_resource != "postgres-addon" %} -param dbserverDatabaseName string -{% endif %} -{% if "mongodb" in cookiecutter.db_resource %} -param keyVaultName string -{% endif %} -{% if cookiecutter.db_resource == "postgres-addon" %} -param containerAppsEnvironmentName string -{% endif %} - -{# Postgres ACA Add-on #} -{% if cookiecutter.db_resource == "postgres-addon" %} - -resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' existing = { - name: containerAppsEnvironmentName -} - -module dbserver 'core/database/postgresql/aca-service.bicep' = { - name: name - params: { - name: '${take(prefix, 29)}-pg' // max 32 characters - location: location - tags: tags - containerAppsEnvironmentId: containerAppsEnvironment.id - } -} -{% endif %} -{# Postgres Flexible Server #} -{% if cookiecutter.db_resource == "postgres-flexible" %} -module dbserver 'core/database/postgresql/flexibleserver.bicep' = { - name: name - params: { - name: '${prefix}-postgresql' - location: location - tags: tags - sku: { - name: 'Standard_B1ms' - tier: 'Burstable' - } - storage: { - storageSizeGB: 32 - } - version: '{{pg_version}}' - administratorLogin: dbserverUser - 
administratorLoginPassword: dbserverPassword - databaseNames: [dbserverDatabaseName] - allowAzureIPsFirewall: true - } -} -{% endif %} -{# Cosmos PostgreSQL#} -{% if cookiecutter.db_resource == "cosmos-postgres" %} -module dbserver 'core/database/cosmos/cosmos-pg-adapter.bicep' = { - name: name - params: { - name: '${prefix}-postgresql' - location: location - tags: tags - postgresqlVersion: '{{pg_version}}' - administratorLogin: dbserverUser - administratorLoginPassword: dbserverPassword - databaseName: dbserverDatabaseName - allowAzureIPsFirewall: true - coordinatorServerEdition: 'BurstableMemoryOptimized' - coordinatorStorageQuotainMb: 131072 - coordinatorVCores: 1 - nodeCount: 0 - nodeVCores: 4 - } -} -{% endif %} -{# Cosmos MongoDB#} -{% if cookiecutter.db_resource == "cosmos-mongodb" %} -module dbserver 'core/database/cosmos/mongo/cosmos-mongo-db.bicep' = { - name: name - params: { - accountName: '${take(prefix, 36)}-mongodb' // Max 44 characters - location: location - databaseName: dbserverDatabaseName - tags: tags - keyVaultName: keyVaultName - } -} -{% endif %} - -{% if cookiecutter.db_resource != "postgres-addon" %} -output dbserverDatabaseName string = dbserverDatabaseName -{% if "postgres" in cookiecutter.db_resource %} -output dbserverUser string = dbserverUser -{% endif %} -{% endif %} -{% if cookiecutter.db_resource == "postgres-addon" %} -output dbserverID string = dbserver.outputs.id -{% endif %} -{% if cookiecutter.db_resource in ("postgres-flexible", "cosmos-postgres") %} -output dbserverDomainName string = dbserver.outputs.domainName -{% endif %} diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep new file mode 100644 index 0000000..22db3e6 --- /dev/null +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep 
@@ -0,0 +1,17 @@
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+param prefix string
+param keyVaultName string
+param dbserverDatabaseName string
+
+module dbserver '../core/database/cosmos/mongo/cosmos-mongo-db.bicep' = {
+ name: name
+ params: {
+ accountName: '${take(prefix, 36)}-mongodb' // Max 44 characters
+ location: location
+ databaseName: dbserverDatabaseName
+ tags: tags
+ keyVaultName: keyVaultName
+ }
+}
diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep
new file mode 100644
index 0000000..c7b6b58
--- /dev/null
+++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep
@@ -0,0 +1,29 @@
+// {% set pg_version = 15 %}
+
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+param prefix string
+param dbserverDatabaseName string
+var dbserverUser = 'citus'
+@secure()
+param dbserverPassword string
+
+module dbserver '../core/database/cosmos/cosmos-pg-adapter.bicep' = {
+ name: name
+ params: {
+ name: '${prefix}-postgresql'
+ location: location
+ tags: tags
+ postgresqlVersion: '{{pg_version}}'
+ administratorLogin: dbserverUser
+ administratorLoginPassword: dbserverPassword
+ databaseName: dbserverDatabaseName
+ allowAzureIPsFirewall: true
+ coordinatorServerEdition: 'BurstableMemoryOptimized'
+ coordinatorStorageQuotainMb: 131072
+ coordinatorVCores: 1
+ nodeCount: 0
+ nodeVCores: 4
+ }
+}
diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-addon.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-addon.bicep
new file mode 100644
index 0000000..b03846d
--- /dev/null
+++ b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-addon.bicep
@@ -0,0 +1,21 @@ +param containerAppsEnvironmentName string +param name string +param location string = resourceGroup().location +param tags object = {} +param prefix string + +resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' existing = { + name: containerAppsEnvironmentName +} + +module dbserver '../core/database/postgresql/aca-service.bicep' = { + name: name + params: { + name: '${take(prefix, 29)}-pg' // max 32 characters + location: location + tags: tags + containerAppsEnvironmentId: containerAppsEnvironment.id + } +} + +output id string = dbserver.outputs.id diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep new file mode 100644 index 0000000..50fb8a6 --- /dev/null +++ b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep @@ -0,0 +1,37 @@ +param name string +param location string = resourceGroup().location +param tags object = {} +param prefix string + +// value is read-only in cosmos +var dbserverUser = 'admin${uniqueString(resourceGroup().id)}' +@secure() +param dbserverPassword string = '' +param dbserverDatabaseName string = '' + +module dbserver '../core/database/postgresql/flexibleserver.bicep' = { + name: name + params: { + name: '${prefix}-postgresql' + location: location + tags: tags + sku: { + name: 'Standard_B1ms' + tier: 'Burstable' + } + storage: { + storageSizeGB: 32 + } + version: '{{pg_version}}' + administratorLogin: dbserverUser + administratorLoginPassword: dbserverPassword + databaseNames: [dbserverDatabaseName] + allowAzureIPsFirewall: true + } +} + +output dbserverDatabaseName string = dbserverDatabaseName +output dbserverUser string = dbserverUser + +// "postgres-flexible", "cosmos-postgres" +output dbserverDomainName string = dbserver.outputs.domainName 
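Review bot: `@secure() param dbserverPassword string = ''` in postgres-flexible.bicep gives the Flexible Server administrator password an empty default, whereas the deleted db.bicep declared it without a default so a caller had to supply it; a caller that omits the parameter now passes an empty password to `administratorLoginPassword` instead of failing template validation, and `param dbserverDatabaseName string = ''` likewise lets an empty database name through to `databaseNames`. Restore the required form used by cosmos-postgres.bicep in this same patch: `@secure()` / `param dbserverPassword string` and `param dbserverDatabaseName string`. The comment `// value is read-only in cosmos` above `dbserverUser` was carried over from the cosmos branch of the old file and does not describe the `admin${uniqueString(resourceGroup().id)}` login; replace it with `// Flexible Server admin login, derived from the resource group id so it is stable across redeploys`. `allowAzureIPsFirewall: true` is also still hard-coded here with no comment that it opens the server to every Azure public IP, not only this deployment's resources.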
diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index fd60fcc..495807d 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -173,26 +173,56 @@ module roleAssignment 'core/security/role.bicep' = { } } -module db 'db.bicep' = { - name: 'db' +var DATABASE_RESOURCE = '{{cookiecutter.db_resource}}' + +module cosmosMongoDb 'db/cosmos-mongodb.bicep' = if(DATABASE_RESOURCE == 'cosmos-mongodb') { + name: 'cosmosMongoDb' scope: resourceGroup params: { name: 'dbserver' location: location tags: tags prefix: prefix - {% if "mongodb" in cookiecutter.db_resource %} keyVaultName: keyVault.outputs.name - {% endif %} - {% if cookiecutter.db_resource != "postgres-addon" %} dbserverDatabaseName: 'relecloud' - {% endif %} - {% if cookiecutter.db_resource in ("postgres-flexible", "cosmos-postgres")%} + } +} + +module cosmosPostgres 'db/cosmos-postgres.bicep' = if(DATABASE_RESOURCE == 'cosmos-postgres') { + name: 'cosmosPostgres' + scope: resourceGroup + params: { + name: 'dbserver' + location: location + tags: tags + prefix: prefix + dbserverDatabaseName: 'relecloud' dbserverPassword: dbserverPassword - {% endif %} - {% if cookiecutter.db_resource == "postgres-addon" %} + } +} + +module postgresAddon 'db/postgres-addon.bicep' = if(DATABASE_RESOURCE == 'postgres-addon') { + name: 'postgresAddon' + scope: resourceGroup + params: { + name: 'dbserver' + location: location + tags: tags + prefix: prefix containerAppsEnvironmentName: containerApps.outputs.environmentName - {% endif %} + } +} + +module postgresFlexible 'db/postgres-flexible.bicep' = if(DATABASE_RESOURCE == 'postgres-flexible') { + name: 'postgresFlexible' + scope: resourceGroup + params: { + name: 'dbserver' + location: location + tags: tags + prefix: prefix + dbserverDatabaseName: 'relecloud' + dbserverPassword: dbserverPassword } } 
@@ -252,16 +282,27 @@ module web 'web.bicep' = { containerRegistryName: containerApps.outputs.registryName exists: webAppExists {% endif %} - {% if cookiecutter.db_resource in ("postgres-flexible", "cosmos-postgres") %} - dbserverDomainName: db.outputs.dbserverDomainName - dbserverUser: db.outputs.dbserverUser - dbserverDatabaseName: db.outputs.dbserverDatabaseName + + {% if cookiecutter.db_resource == "postgres-flexible" %} + dbserverDomainName: postgresFlexible.outputs.dbserverDomainName + dbserverUser: postgresFlexible.outputs.dbserverUser + dbserverDatabaseName: postgresFlexible.outputs.dbserverDatabaseName + {% endif %} + + {% if cookiecutter.db_resource == "cosmos-postgres" %} + dbserverDomainName: cosmosPostgres.outputs.dbserverDomainName + dbserverUser: cosmosPostgres.outputs.dbserverUser + dbserverDatabaseName: cosmosPostgres.outputs.dbserverDatabaseName + {% endif %} + {% if cookiecutter.project_host == "aca" %} dbserverPassword: dbserverPassword {% endif %} + {% endif %} + {% if cookiecutter.db_resource == "postgres-addon" %} - postgresServiceId: db.outputs.dbserverID + postgresServiceId: postgresAddon.outputs.id {% endif %} } } From 2ea6e9765e6980ce3bf12abc139991f57c2a158d Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 15 Jul 2024 18:31:58 +1000 Subject: [PATCH 02/19] Remove trailing endif --- {{cookiecutter.__src_folder_name}}/infra/main.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index 495807d..011ec69 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep 
@@ -271,11 +271,13 @@ module web 'web.bicep' = { tags: tags applicationInsightsName: monitoring.outputs.applicationInsightsName keyVaultName: keyVault.outputs.name + {% if cookiecutter.project_host == "appservice" %} appCommandLine: 'entrypoint.sh' pythonVersion: '{{cookiecutter.python_version}}' virtualNetworkSubnetId: virtualNetwork.outputs.subnetResourceIds[1] {% endif %} + {% if cookiecutter.project_host == "aca" %} identityName: '${prefix}-id-web' containerAppsEnvironmentName: containerApps.outputs.environmentName @@ -299,8 +301,6 @@ module web 'web.bicep' = { dbserverPassword: dbserverPassword {% endif %} - {% endif %} - {% if cookiecutter.db_resource == "postgres-addon" %} postgresServiceId: postgresAddon.outputs.id {% endif %} From d45101eb7f21e5870e689a95db8048092167620c Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 15 Jul 2024 18:40:39 +1000 Subject: [PATCH 03/19] Add missing variable assignment --- .../infra/db/postgres-flexible.bicep | 2 ++ 1 file changed, 2 insertions(+) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep index 50fb8a6..83f5e8a 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep @@ -1,3 +1,5 @@ +// {% set pg_version = 15 %} + param name string param location string = resourceGroup().location param tags object = {} From 84f6be48080b5fb2eeb78ff4584abf889057a347 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 15 Jul 2024 18:43:28 +1000 Subject: [PATCH 04/19] Add missing outputs. --- .../infra/db/cosmos-postgres.bicep | 4 ++++ .../infra/db/postgres-flexible.bicep | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep index c7b6b58..c8d6475 100644 
--- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep @@ -27,3 +27,7 @@ module dbserver '../core/database/cosmos/cosmos-pg-adapter.bicep' = { nodeVCores: 4 } } + +output dbserverDatabaseName string = dbserverDatabaseName +output dbserverUser string = dbserverUser +output dbserverDomainName string = dbserver.outputs.domainName diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep index 83f5e8a..6492b9e 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep @@ -34,6 +34,4 @@ module dbserver '../core/database/postgresql/flexibleserver.bicep' = { output dbserverDatabaseName string = dbserverDatabaseName output dbserverUser string = dbserverUser - -// "postgres-flexible", "cosmos-postgres" output dbserverDomainName string = dbserver.outputs.domainName From 257818cd3441a85c270f33eb1b34df8d36d221b8 Mon Sep 17 00:00:00 2001 
From: Anthony Shaw Date: Mon, 15 Jul 2024 19:42:38 +1000 Subject: [PATCH 05/19] Refactor out all AZD related database code. --- .../core/database/cosmos/cosmos-account.bicep | 51 ------------- .../database/cosmos/cosmos-pg-adapter.bicep | 62 ---------------- .../cosmos/mongo/cosmos-mongo-account.bicep | 23 ------ .../cosmos/mongo/cosmos-mongo-db.bicep | 47 ------------ .../cosmos/sql/cosmos-sql-account.bicep | 22 ------ .../database/cosmos/sql/cosmos-sql-db.bicep | 74 ------------------- .../cosmos/sql/cosmos-sql-role-assign.bicep | 19 ----- .../cosmos/sql/cosmos-sql-role-def.bicep | 30 -------- .../database/postgresql/aca-service.bicep | 49 ------------ .../database/postgresql/flexibleserver.bicep | 64 ---------------- .../infra/db/cosmos-mongodb.bicep | 29 ++++++-- .../infra/db/cosmos-postgres.bicep | 36 ++++++--- .../infra/db/postgres-addon.bicep | 20 +++-- .../infra/db/postgres-flexible.bicep | 25 ++++--- .../infra/main.bicep | 4 +- 15 files changed, 78 insertions(+), 477 deletions(-) delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/cosmos-account.bicep delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/cosmos-pg-adapter.bicep delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/mongo/cosmos-mongo-account.bicep delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/mongo/cosmos-mongo-db.bicep delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-account.bicep delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-db.bicep delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-role-assign.bicep delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-role-def.bicep delete mode 100644 {{cookiecutter.__src_folder_name}}/infra/core/database/postgresql/aca-service.bicep delete mode 100644 
{{cookiecutter.__src_folder_name}}/infra/core/database/postgresql/flexibleserver.bicep diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/cosmos-account.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/cosmos-account.bicep deleted file mode 100644 index e3be52c..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/cosmos-account.bicep +++ /dev/null @@ -1,51 +0,0 @@ -metadata description = 'Creates an Azure Cosmos DB account.' -param name string -param location string = resourceGroup().location -param tags object = {} - -@secure() -param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING' -param keyVaultName string - -@allowed([ 'GlobalDocumentDB', 'MongoDB', 'Parse' ]) -param kind string - -resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' = { - name: name - kind: kind - location: location - tags: tags - properties: { - consistencyPolicy: { defaultConsistencyLevel: 'Session' } - locations: [ - { - locationName: location - failoverPriority: 0 - isZoneRedundant: false - } - ] - databaseAccountOfferType: 'Standard' - enableAutomaticFailover: false - enableMultipleWriteLocations: false - apiProperties: (kind == 'MongoDB') ? { serverVersion: '4.2' } : {} - capabilities: [ { name: 'EnableServerless' } ] - disableKeyBasedMetadataWriteAccess: true // See PsRule AZR-000095 - } -} - -resource cosmosConnectionString 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = { - parent: keyVault - name: connectionStringKey - properties: { - value: cosmos.listConnectionStrings().connectionStrings[0].connectionString - } -} - -resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = { - name: keyVaultName -} - -output connectionStringKey string = connectionStringKey -output endpoint string = cosmos.properties.documentEndpoint -output id string = cosmos.id -output name string = cosmos.name 
diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/cosmos-pg-adapter.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/cosmos-pg-adapter.bicep deleted file mode 100644 index 297e3d1..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/cosmos-pg-adapter.bicep +++ /dev/null 
@@ -1,62 +0,0 @@ -param name string -param location string = resourceGroup().location -param tags object = {} - -param administratorLogin string -@secure() -param administratorLoginPassword string - -param coordinatorServerEdition string -param coordinatorStorageQuotainMb int -param coordinatorVCores int -param databaseName string -param nodeCount int -param nodeVCores int -param allowAzureIPsFirewall bool = false -param allowAllIPsFirewall bool = false -param allowedSingleIPs array = [] -param postgresqlVersion string - -resource postgresCluster 'Microsoft.DBforPostgreSQL/serverGroupsv2@2023-03-02-preview' = { - name: name - location: location - tags: tags - properties: { - administratorLogin: administratorLogin - administratorLoginPassword: administratorLoginPassword - coordinatorServerEdition: coordinatorServerEdition - coordinatorStorageQuotaInMb: coordinatorStorageQuotainMb - coordinatorVCores: coordinatorVCores - postgresqlVersion: postgresqlVersion - nodeCount: nodeCount - nodeVCores: nodeVCores - databaseName: databaseName - } - - resource firewall_all 'firewallRules' = if (allowAllIPsFirewall) { - name: 'allow-all-IPs' - properties: { - startIpAddress: '0.0.0.0' - endIpAddress: '255.255.255.255' - } - } - - resource firewall_azure 'firewallRules' = if (allowAzureIPsFirewall) { - name: 'allow-all-azure-internal-IPs' - properties: { - startIpAddress: '0.0.0.0' - endIpAddress: '0.0.0.0' - } - } - - resource firewall_single 'firewallRules' = [for ip in allowedSingleIPs: { - name: 'allow-single-${replace(ip, '.', '')}' - properties: { - startIpAddress: ip - endIpAddress: ip - } - }] - -} - -output domainName string = postgresCluster.properties.serverNames[0].fullyQualifiedDomainName diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/mongo/cosmos-mongo-account.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/mongo/cosmos-mongo-account.bicep deleted file mode 100644 index 4aafbf3..0000000 
--- a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/mongo/cosmos-mongo-account.bicep +++ /dev/null @@ -1,23 +0,0 @@ -metadata description = 'Creates an Azure Cosmos DB for MongoDB account.' -param name string -param location string = resourceGroup().location -param tags object = {} - -param keyVaultName string -param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING' - -module cosmos '../../cosmos/cosmos-account.bicep' = { - name: 'cosmos-account' - params: { - name: name - location: location - connectionStringKey: connectionStringKey - keyVaultName: keyVaultName - kind: 'MongoDB' - tags: tags - } -} - -output connectionStringKey string = cosmos.outputs.connectionStringKey -output endpoint string = cosmos.outputs.endpoint -output id string = cosmos.outputs.id diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/mongo/cosmos-mongo-db.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/mongo/cosmos-mongo-db.bicep deleted file mode 100644 index 2a67057..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/mongo/cosmos-mongo-db.bicep +++ /dev/null 
@@ -1,47 +0,0 @@ -metadata description = 'Creates an Azure Cosmos DB for MongoDB account with a database.' -param accountName string -param databaseName string -param location string = resourceGroup().location -param tags object = {} - -param collections array = [] -param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING' -param keyVaultName string - -module cosmos 'cosmos-mongo-account.bicep' = { - name: 'cosmos-mongo-account' - params: { - name: accountName - location: location - keyVaultName: keyVaultName - tags: tags - connectionStringKey: connectionStringKey - } -} - -resource database 'Microsoft.DocumentDB/databaseAccounts/mongodbDatabases@2022-08-15' = { - name: '${accountName}/${databaseName}' - tags: tags - properties: { - resource: { id: databaseName } - } - - resource list 'collections' = [for collection in collections: { - name: collection.name - properties: { - resource: { - id: collection.id - shardKey: { _id: collection.shardKey } - indexes: [ { key: { keys: [ collection.indexKey ] } } ] - } - } - }] - - dependsOn: [ - cosmos - ] -} - -output connectionStringKey string = connectionStringKey -output databaseName string = databaseName -output endpoint string = cosmos.outputs.endpoint diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-account.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-account.bicep deleted file mode 100644 index 8431135..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-account.bicep +++ /dev/null 
@@ -1,22 +0,0 @@ -metadata description = 'Creates an Azure Cosmos DB for NoSQL account.' -param name string -param location string = resourceGroup().location -param tags object = {} - -param keyVaultName string - -module cosmos '../../cosmos/cosmos-account.bicep' = { - name: 'cosmos-account' - params: { - name: name - location: location - tags: tags - keyVaultName: keyVaultName - kind: 'GlobalDocumentDB' - } -} - -output connectionStringKey string = cosmos.outputs.connectionStringKey -output endpoint string = cosmos.outputs.endpoint -output id string = cosmos.outputs.id -output name string = cosmos.outputs.name diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-db.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-db.bicep deleted file mode 100644 index 265880d..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-db.bicep +++ /dev/null 
@@ -1,74 +0,0 @@ -metadata description = 'Creates an Azure Cosmos DB for NoSQL account with a database.' -param accountName string -param databaseName string -param location string = resourceGroup().location -param tags object = {} - -param containers array = [] -param keyVaultName string -param principalIds array = [] - -module cosmos 'cosmos-sql-account.bicep' = { - name: 'cosmos-sql-account' - params: { - name: accountName - location: location - tags: tags - keyVaultName: keyVaultName - } -} - -resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2022-05-15' = { - name: '${accountName}/${databaseName}' - properties: { - resource: { id: databaseName } - } - - resource list 'containers' = [for container in containers: { - name: container.name - properties: { - resource: { - id: container.id - partitionKey: { paths: [ container.partitionKey ] } - } - options: {} - } - }] - - dependsOn: [ - cosmos - ] -} - -module roleDefinition 'cosmos-sql-role-def.bicep' = { - name: 'cosmos-sql-role-definition' - params: { - accountName: accountName - } - dependsOn: [ - cosmos - database - ] -} - -// We need batchSize(1) here because sql role assignments have to be done sequentially -@batchSize(1) -module userRole 'cosmos-sql-role-assign.bicep' = [for principalId in principalIds: if (!empty(principalId)) { - name: 'cosmos-sql-user-role-${uniqueString(principalId)}' - params: { - accountName: accountName - roleDefinitionId: roleDefinition.outputs.id - principalId: principalId - } - dependsOn: [ - cosmos - database - ] -}] - -output accountId string = cosmos.outputs.id -output accountName string = cosmos.outputs.name -output connectionStringKey string = cosmos.outputs.connectionStringKey -output databaseName string = databaseName -output endpoint string = cosmos.outputs.endpoint -output roleDefinitionId string = roleDefinition.outputs.id 
diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-role-assign.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-role-assign.bicep deleted file mode 100644 index 3949efe..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-role-assign.bicep +++ /dev/null @@ -1,19 +0,0 @@ -metadata description = 'Creates a SQL role assignment under an Azure Cosmos DB account.' -param accountName string - -param roleDefinitionId string -param principalId string = '' - -resource role 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2022-05-15' = { - parent: cosmos - name: guid(roleDefinitionId, principalId, cosmos.id) - properties: { - principalId: principalId - roleDefinitionId: roleDefinitionId - scope: cosmos.id - } -} - -resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = { - name: accountName -} diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-role-def.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-role-def.bicep deleted file mode 100644 index 778d6dc..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/cosmos/sql/cosmos-sql-role-def.bicep +++ /dev/null 
@@ -1,30 +0,0 @@ -metadata description = 'Creates a SQL role definition under an Azure Cosmos DB account.' -param accountName string - -resource roleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2022-08-15' = { - parent: cosmos - name: guid(cosmos.id, accountName, 'sql-role') - properties: { - assignableScopes: [ - cosmos.id - ] - permissions: [ - { - dataActions: [ - 'Microsoft.DocumentDB/databaseAccounts/readMetadata' - 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*' - 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*' - ] - notDataActions: [] - } - ] - roleName: 'Reader Writer' - type: 'CustomRole' - } -} - -resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = { - name: accountName -} - -output id string = roleDefinition.id diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/postgresql/aca-service.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/postgresql/aca-service.bicep deleted file mode 100644 index 3ed4b9a..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/postgresql/aca-service.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param name string -param location string = resourceGroup().location -param tags object = {} - -param containerAppsEnvironmentId string - -resource postgres 'Microsoft.App/containerApps@2023-04-01-preview' = { - name: name - location: location - tags: tags - properties: { - environmentId: containerAppsEnvironmentId - configuration: { - service: { - type: 'postgres' - } - } - } -} - -/* -resource pgsqlCli 'Microsoft.App/containerApps@2023-04-01-preview' = { - name: '${name}-cli' - location: location - properties: { - environmentId: containerAppsEnvironmentId - template: { - serviceBinds: [ - { - serviceId: postgres.id - } - ] - containers: [ - { - name: 'psql' - image: 'mcr.microsoft.com/k8se/services/postgres:14' - command: [ '/bin/sleep', 'infinity' ] - } - ] - scale: { - minReplicas: 1 - maxReplicas: 1 - } - } - } -} -*/ - -output id string = postgres.id diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/database/postgresql/flexibleserver.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/database/postgresql/flexibleserver.bicep deleted file mode 100644 index 3647524..0000000 --- a/{{cookiecutter.__src_folder_name}}/infra/core/database/postgresql/flexibleserver.bicep +++ /dev/null 
@@ -1,64 +0,0 @@ -param name string -param location string = resourceGroup().location -param tags object = {} - -param sku object -param storage object -param administratorLogin string -@secure() -param administratorLoginPassword string -param databaseNames array = [] -param allowAzureIPsFirewall bool = false -param allowAllIPsFirewall bool = false -param allowedSingleIPs array = [] - -// PostgreSQL version -param version string - -// Latest official version 2022-12-01 does not have Bicep types available -resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { - location: location - tags: tags - name: name - sku: sku - properties: { - version: version - administratorLogin: administratorLogin - administratorLoginPassword: administratorLoginPassword - storage: storage - highAvailability: { - mode: 'Disabled' - } - } - - resource database 'databases' = [for name in databaseNames: { - name: name - }] - - resource firewall_all 'firewallRules' = if (allowAllIPsFirewall) { - name: 'allow-all-IPs' - properties: { - startIpAddress: '0.0.0.0' - endIpAddress: '255.255.255.255' - } - } - - resource firewall_azure 'firewallRules' = if (allowAzureIPsFirewall) { - name: 'allow-all-azure-internal-IPs' - properties: { - startIpAddress: '0.0.0.0' - endIpAddress: '0.0.0.0' - } - } - - resource firewall_single 'firewallRules' = [for ip in allowedSingleIPs: { - name: 'allow-single-${replace(ip, '.', '')}' - properties: { - startIpAddress: ip - endIpAddress: ip - } - }] - -} - -output domainName string = postgresServer.properties.fullyQualifiedDomainName diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep index 22db3e6..41d2bdc 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep 
@@ -2,16 +2,35 @@ param name string param location string = resourceGroup().location param tags object = {} param prefix string -param keyVaultName string param dbserverDatabaseName string -module dbserver '../core/database/cosmos/mongo/cosmos-mongo-db.bicep' = { +module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = { name: name params: { - accountName: '${take(prefix, 36)}-mongodb' // Max 44 characters + name: '${take(prefix, 36)}-mongodb' // Max 44 characters location: location - databaseName: dbserverDatabaseName tags: tags - keyVaultName: keyVaultName + + managedIdentities: { + systemAssigned: true + } + defaultConsistencyLevel: 'Session' + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: false + } + ] + disableKeyBasedMetadataWriteAccess: true // See PsRule AZR-000095 + + mongodbDatabases: [ + { + name: dbserverDatabaseName + } + ] } } + +output id string = databaseAccount.outputs.resourceId +output endpoint string = databaseAccount.outputs.endpoint diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep index c8d6475..67b2044 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-postgres.bicep 
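Review bot: `managedIdentities: { systemAssigned: true }` gives the Cosmos *account* an identity; it grants the web app nothing, and with `keyVaultName` removed nothing in this module publishes a credential the app can consume, so after this hunk the application's authentication path to the account is undefined. If the intent is key-based auth, the connection string still has to reach Key Vault (the deleted module took `keyVaultName`, presumably for that); if the intent is identity-based auth, note that as far as I know the SQL-API RBAC model does not authorise MongoDB-API connections, so confirm the driver path before relying on it. The network posture is also implicit: neither `publicNetworkAccess` nor a minimum TLS version is set, so the AVM module's defaults apply — either set them here or add `// Network access and TLS left at module defaults; set networkRestrictions/minimumTlsVersion before production` so the gap is visible to template users.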
@@ -8,26 +8,42 @@ param dbserverDatabaseName string var dbserverUser = 'citus' @secure() param dbserverPassword string +param allowAllIpsFirewall bool = false +param allowAllAzureIpsFirewall bool = true -module dbserver '../core/database/cosmos/cosmos-pg-adapter.bicep' = { - name: name - params: { - name: '${prefix}-postgresql' - location: location - tags: tags - postgresqlVersion: '{{pg_version}}' +resource postgresCluster 'Microsoft.DBforPostgreSQL/serverGroupsv2@2023-03-02-preview' = { + name: '${prefix}-postgresql' + location: location + tags: tags + properties: { administratorLogin: dbserverUser administratorLoginPassword: dbserverPassword - databaseName: dbserverDatabaseName - allowAzureIPsFirewall: true coordinatorServerEdition: 'BurstableMemoryOptimized' coordinatorStorageQuotainMb: 131072 coordinatorVCores: 1 + postgresqlVersion: '{{pg_version}}' nodeCount: 0 nodeVCores: 4 + databaseName: dbserverDatabaseName + } + + resource firewall_all 'firewallRules' = if (allowAllIpsFirewall) { + name: 'allow-all-IPs' + properties: { + startIpAddress: '0.0.0.0' + endIpAddress: '255.255.255.255' + } + } + + resource firewall_azure 'firewallRules' = if (allowAllAzureIpsFirewall) { + name: 'allow-all-azure-internal-IPs' + properties: { + startIpAddress: '0.0.0.0' + endIpAddress: '0.0.0.0' + } } } output dbserverDatabaseName string = dbserverDatabaseName output dbserverUser string = dbserverUser -output dbserverDomainName string = dbserver.outputs.domainName +output dbserverDomainName string = postgresCluster.properties.serverNames[0].fullyQualifiedDomainName diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-addon.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-addon.bicep index b03846d..5f694c0 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-addon.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-addon.bicep 
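Review bot: The `firewall_azure` rule (`0.0.0.0`–`0.0.0.0`, on by default via `allowAllAzureIpsFirewall = true`) admits any Azure-hosted client in any subscription, not just this deployment, and `allowAllIpsFirewall` opens the cluster to the entire IPv4 internet with a single boolean — yet neither parameter carries a description saying so. Add `@description('Allow any Azure service in any tenant to reach the cluster (0.0.0.0 rule)')` and `@description('DANGER: exposes the cluster to all public IPv4 addresses; development only')` so the generated template is honest about what these toggles do, and consider defaulting the Azure-services rule to false once the app has a private path. The resource also pins a preview API (`serverGroupsv2@2023-03-02-preview`); a one-line comment on why, and when to move to GA, would help maintainers.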
@@ -8,14 +8,18 @@ resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' name: containerAppsEnvironmentName } -module dbserver '../core/database/postgresql/aca-service.bicep' = { - name: name - params: { - name: '${take(prefix, 29)}-pg' // max 32 characters - location: location - tags: tags - containerAppsEnvironmentId: containerAppsEnvironment.id +resource postgres 'Microsoft.App/containerApps@2023-04-01-preview' = { + name: '${take(prefix, 29)}-pg' // max 32 characters + location: location + tags: tags + properties: { + environmentId: containerAppsEnvironment.id + configuration: { + service: { + type: 'postgres' + } + } } } -output id string = dbserver.outputs.id +output id string = postgres.id diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep index 6492b9e..d01b7be 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/postgres-flexible.bicep 
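Review bot: The add-on is declared against a preview API (`Microsoft.App/containerApps@2023-04-01-preview`) with nothing but `service.type: 'postgres'`, so the Postgres version, storage and credential handling are whatever the platform picks, and none of that is recorded for the template user. My understanding is that Container Apps add-on services are positioned for development and test rather than production — confirm against the docs — and if so a header comment such as `// Dev/test Postgres via the Container Apps add-on: credentials are injected by service binding; confirm durability/backup before production use` would set expectations. It would also be worth stating that the bound credentials are meant to stay inside the environment and are not copied to Key Vault or outputs.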
@@ -11,27 +11,30 @@ var dbserverUser = 'admin${uniqueString(resourceGroup().id)}' param dbserverPassword string = '' param dbserverDatabaseName string = '' -module dbserver '../core/database/postgresql/flexibleserver.bicep' = { +module flexibleServer 'br/public:avm/res/db-for-postgre-sql/flexible-server:0.1.6' = { name: name params: { name: '${prefix}-postgresql' location: location tags: tags - sku: { - name: 'Standard_B1ms' - tier: 'Burstable' - } - storage: { - storageSizeGB: 32 - } + skuName: 'Standard_B2s' + tier: 'Burstable' version: '{{pg_version}}' administratorLogin: dbserverUser administratorLoginPassword: dbserverPassword - databaseNames: [dbserverDatabaseName] - allowAzureIPsFirewall: true + databases: [{ + name: dbserverDatabaseName + }] + firewallRules: [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + ] } } output dbserverDatabaseName string = dbserverDatabaseName output dbserverUser string = dbserverUser -output dbserverDomainName string = dbserver.outputs.domainName +output dbserverDomainName string = flexibleServer.outputs.fqdn diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index 011ec69..5c4e630 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -271,7 +271,7 @@ module web 'web.bicep' = { tags: tags applicationInsightsName: monitoring.outputs.applicationInsightsName keyVaultName: keyVault.outputs.name - + {% if cookiecutter.project_host == "appservice" %} appCommandLine: 'entrypoint.sh' pythonVersion: '{{cookiecutter.python_version}}' 
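Review bot: The only network control on the server is the hard-coded `AllowAllWindowsAzureIps` rule (`0.0.0.0`–`0.0.0.0`), which lets any Azure-hosted client in any subscription reach a password-authenticated endpoint; the deleted module at least exposed this as an `allowAzureIPsFirewall` toggle, whereas here it is baked into `firewallRules`. Parameterise it again or comment it: `// 0.0.0.0 rule = any Azure service, any tenant; tighten to the app subnet or a private endpoint before production`. The hunk also changes the SKU from `Standard_B1ms` to `Standard_B2s` without the commit message mentioning it; a short comment on the reason avoids it being read as accidental. Note the context line `param dbserverPassword string = ''` above: a secure parameter with an empty default means a caller can omit the password and the failure, if any, comes from the resource provider rather than the template.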
@@ -297,7 +297,7 @@ module web 'web.bicep' = { dbserverDatabaseName: cosmosPostgres.outputs.dbserverDatabaseName {% endif %} - {% if cookiecutter.project_host == "aca" %} + {% if cookiecutter.project_host == "aca" and cookiecutter.db_resource in ("postgres-flexible", "cosmos-postgres") %} dbserverPassword: dbserverPassword {% endif %} From 91a11e646dee659c706fee5cc9080d783cf74caf Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 15 Jul 2024 19:55:24 +1000 Subject: [PATCH 06/19] hardcode a parameter to fix the linter --- .../infra/db/cosmos-mongodb.bicep | 3 ++- {{cookiecutter.__src_folder_name}}/infra/main.bicep | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep index 41d2bdc..eb8b3ef 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep @@ -3,6 +3,7 @@ param location string = resourceGroup().location param tags object = {} param prefix string param dbserverDatabaseName string +param sqlRoleAssignmentPrincipalId string module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = { name: name @@ -23,7 +24,7 @@ module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = } ] disableKeyBasedMetadataWriteAccess: true // See PsRule AZR-000095 - + sqlRoleAssignmentsPrincipalIds: [sqlRoleAssignmentPrincipalId] mongodbDatabases: [ { name: dbserverDatabaseName diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index 5c4e630..fdfab8a 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep 
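Review bot: `sqlRoleAssignmentsPrincipalIds: [sqlRoleAssignmentPrincipalId]` grants a Cosmos DB SQL-API data-plane role (whatever the AVM module's default role definition is) to the web identity on an account that only defines `mongodbDatabases`; as far as I know SQL RBAC assignments do not authorise MongoDB-API connections, so this is a permission the app cannot exercise through the Mongo driver, added — per the commit title — to satisfy a linter. A dangling data-plane grant is exactly what a later reviewer will mistake for the real access path. If the parameter must be populated, comment it: `// Linter appeasement only: SQL RBAC does not apply to the MongoDB API; app auth is via connection string`, or drop the assignment and fix the linter configuration instead.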
@@ -13,6 +13,8 @@ param location string @secure() @description('DBServer administrator password') param dbserverPassword string +{% else %} +var dbserverPassword = '' // Only used by the linter {% endif %} {% if cookiecutter.project_backend in ("django", "flask") %} @@ -183,8 +185,8 @@ module cosmosMongoDb 'db/cosmos-mongodb.bicep' = if(DATABASE_RESOURCE == 'cosmos location: location tags: tags prefix: prefix - keyVaultName: keyVault.outputs.name dbserverDatabaseName: 'relecloud' + sqlRoleAssignmentPrincipalId: web.outputs.SERVICE_WEB_IDENTITY_PRINCIPAL_ID } } From bf15baca1a3eeaff3f70c8129fc5f5269b10a67a Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 15 Jul 2024 20:00:02 +1000 Subject: [PATCH 07/19] The audit workflow at this level makes no sense --- .github/workflows/audit.yml | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 .github/workflows/audit.yml diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml deleted file mode 100644 index 571239d..0000000 --- a/.github/workflows/audit.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: Validate AZD template -on: - push: - branches: [ main ] - paths: - - "{{cookiecutter.__src_folder_name}}/infra/**" - pull_request: - branches: [ main ] - paths: - - "{{cookiecutter.__src_folder_name}}/infra/**" - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - permissions: - security-events: write - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Run Microsoft Security DevOps Analysis - uses: microsoft/security-devops-action@preview - id: msdo - continue-on-error: true - with: - tools: templateanalyzer - - - name: Upload alerts to Security tab - uses: github/codeql-action/upload-sarif@v3 - if: github.repository == 'Azure-Samples/Azure-Python-Standardization-Template-Generator' - with: - sarif_file: ${{ steps.msdo.outputs.sarifFile }} From 8f4b6e4d7c1c743ad12931c906cc7438ed559350 Mon Sep 17 00:00:00 2001 
From: Anthony Shaw Date: Wed, 17 Jul 2024 09:18:17 +1000 Subject: [PATCH 08/19] Use keys for cosmos mongo --- .../infra/db/cosmos-mongodb.bicep | 17 +++++++++++++++++ .../infra/main.bicep | 1 + 2 files changed, 18 insertions(+) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep index eb8b3ef..09445ce 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep @@ -4,6 +4,7 @@ param tags object = {} param prefix string param dbserverDatabaseName string param sqlRoleAssignmentPrincipalId string +param keyvaultName string module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = { name: name @@ -33,5 +34,21 @@ module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = } } +resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = { + name: name +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = { + name: keyvaultName +} + +resource cosmosConnectionString 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = { + parent: keyVault + name: 'AZURE-COSMOS-CONNECTION-STRING' + properties: { + value: cosmos.listConnectionStrings().connectionStrings[0].connectionString + } +} + output id string = databaseAccount.outputs.resourceId output endpoint string = databaseAccount.outputs.endpoint diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index fdfab8a..ab68025 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -187,6 +187,7 @@ module cosmosMongoDb 'db/cosmos-mongodb.bicep' = if(DATABASE_RESOURCE == 'cosmos prefix: prefix dbserverDatabaseName: 'relecloud' sqlRoleAssignmentPrincipalId: web.outputs.SERVICE_WEB_IDENTITY_PRINCIPAL_ID + keyvaultName: keyVault.outputs.name } } 
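Review bot: `cosmos.listConnectionStrings().connectionStrings[0].connectionString` picks a connection string by position, so the secret's content depends on the API's ordering rather than a stated choice; as far as I know index 0 is the primary read-write string, which embeds the account's primary master key and therefore full data-plane rights. Select by `description` instead and document the privilege level, e.g. `// Primary read-write key: full access to every database in the account; rotate by switching to the secondary and redeploying`. Separately, the `existing` reference uses `name`, which is this module's deployment name, while the account is created as `'${take(prefix, 36)}-mongodb'` a few lines above, and nothing makes the secret wait for `databaseAccount` — so the lookup may target the wrong name or run before the account exists.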
From 42f00574cf3366d36f0b026bcccc7ebffa64fd2a Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Wed, 17 Jul 2024 15:08:35 +1000 Subject: [PATCH 09/19] Add subnet for databases --- .../infra/db/cosmos-mongodb.bicep | 12 ++++++++++++ .../infra/main.bicep | 18 ++++++++++++------ 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep index 09445ce..b167106 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep @@ -5,6 +5,8 @@ param prefix string param dbserverDatabaseName string param sqlRoleAssignmentPrincipalId string param keyvaultName string +param privateDNSZoneResourceId string +param subnetResourceId string module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = { name: name @@ -31,6 +33,16 @@ module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = name: dbserverDatabaseName } ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + privateDNSZoneResourceId + ] + service: 'MongoDB' + subnetResourceId: subnetResourceId + tags: tags + } + ] } } diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index ab68025..d1c4532 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -14,7 +14,7 @@ param location string @description('DBServer administrator password') param dbserverPassword string {% else %} -var dbserverPassword = '' // Only used by the linter +var dbserverPassword = guid(name, resourceGroup.name) // Only used by the linter {% endif %} {% if cookiecutter.project_backend in ("django", "flask") %} 
@@ -34,6 +34,9 @@ var resourceToken = toLower(uniqueString(subscription().id, name, location)) var prefix = '${name}-${resourceToken}' var tags = { 'azd-env-name': name } +var DATABASE_RESOURCE = '{{cookiecutter.db_resource}}' +var PROJECT_HOST = '{{cookiecutter.project_host}}' + var secrets = [ {% if cookiecutter.db_resource in ("postgres-flexible", "cosmos-postgres") %} { @@ -92,6 +95,11 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.1.8' = { } ] } + { + addressPrefix: '10.0.4.0/23' + name: 'db' + tags: tags + } ] } } @@ -175,8 +183,6 @@ module roleAssignment 'core/security/role.bicep' = { } } -var DATABASE_RESOURCE = '{{cookiecutter.db_resource}}' - module cosmosMongoDb 'db/cosmos-mongodb.bicep' = if(DATABASE_RESOURCE == 'cosmos-mongodb') { name: 'cosmosMongoDb' scope: resourceGroup @@ -188,6 +194,8 @@ module cosmosMongoDb 'db/cosmos-mongodb.bicep' = if(DATABASE_RESOURCE == 'cosmos dbserverDatabaseName: 'relecloud' sqlRoleAssignmentPrincipalId: web.outputs.SERVICE_WEB_IDENTITY_PRINCIPAL_ID keyvaultName: keyVault.outputs.name + privateDNSZoneResourceId: privateDnsZone.outputs.resourceId + subnetResourceId: virtualNetwork.outputs.subnetResourceIds[2] } } @@ -242,9 +250,8 @@ module monitoring 'core/monitor/monitoring.bicep' = { } } -{% if cookiecutter.project_host == "aca" %} // Container apps host (including container registry) -module containerApps 'core/host/container-apps.bicep' = { +module containerApps 'core/host/container-apps.bicep' = if (PROJECT_HOST == 'aca') { name: 'container-apps' scope: resourceGroup params: { @@ -256,7 +263,6 @@ module containerApps 'core/host/container-apps.bicep' = { virtualNetworkSubnetId: virtualNetwork.outputs.subnetResourceIds[1] } } -{% endif %} // Web frontend module web 'web.bicep' = { From 01d78dc89943b6adcc0459073bc32949bffdbd82 Mon Sep 17 00:00:00 2001 
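Review bot: `subnetResourceId: virtualNetwork.outputs.subnetResourceIds[2]` (and the `[1]` this file already uses for the Container Apps environment) selects subnets by position in the `subnets` array, so inserting or reordering a subnet silently moves the private endpoint or the ACA environment into a different address range with no deployment error. That is a security-relevant failure mode because the network restrictions elsewhere are expressed in terms of these subnet IDs. If the AVM virtual-network module exposes a `subnetNames` output (I believe it does — verify for 0.1.8), select by name, e.g. `virtualNetwork.outputs.subnetResourceIds[indexOf(virtualNetwork.outputs.subnetNames, 'db')]`; at minimum comment the order next to the `subnets` definition: `// subnet order is load-bearing: [2] is 'db' — keep in sync with every subnetResourceIds[n] consumer`.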
From: Anthony Shaw Date: Wed, 17 Jul 2024 15:31:59 +1000 Subject: [PATCH 10/19] Fix dependency cycles --- .../infra/db/cosmos-mongodb.bicep | 7 +++++-- {{cookiecutter.__src_folder_name}}/infra/main.bicep | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep index b167106..0851c07 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep @@ -8,10 +8,12 @@ param keyvaultName string param privateDNSZoneResourceId string param subnetResourceId string +var mongoDbName = '${take(prefix, 36)}-mongodb' + module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = { name: name params: { - name: '${take(prefix, 36)}-mongodb' // Max 44 characters + name: mongoDbName // Max 44 characters location: location tags: tags @@ -47,7 +49,7 @@ module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = } resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' existing = { - name: name + name: mongoDbName } resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = { @@ -60,6 +62,7 @@ resource cosmosConnectionString 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = properties: { value: cosmos.listConnectionStrings().connectionStrings[0].connectionString } + dependsOn: [databaseAccount] } output id string = databaseAccount.outputs.resourceId diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index d1c4532..8511481 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep 
@@ -212,7 +212,7 @@ module cosmosPostgres 'db/cosmos-postgres.bicep' = if(DATABASE_RESOURCE == 'cosm } } -module postgresAddon 'db/postgres-addon.bicep' = if(DATABASE_RESOURCE == 'postgres-addon') { +module postgresAddon 'db/postgres-addon.bicep' = if(DATABASE_RESOURCE == 'postgres-addon' && PROJECT_HOST == 'aca') { name: 'postgresAddon' scope: resourceGroup params: { From a7f0cc74613ff67770222c3b9d17dba3f7bb5eac Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Wed, 17 Jul 2024 15:49:57 +1000 Subject: [PATCH 11/19] Filter out the container app resource as it confuses AZD --- .../infra/main.bicep | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index 8511481..92a63ec 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -212,18 +212,6 @@ module cosmosPostgres 'db/cosmos-postgres.bicep' = if(DATABASE_RESOURCE == 'cosm } } -module postgresAddon 'db/postgres-addon.bicep' = if(DATABASE_RESOURCE == 'postgres-addon' && PROJECT_HOST == 'aca') { - name: 'postgresAddon' - scope: resourceGroup - params: { - name: 'dbserver' - location: location - tags: tags - prefix: prefix - containerAppsEnvironmentName: containerApps.outputs.environmentName - } -} - module postgresFlexible 'db/postgres-flexible.bicep' = if(DATABASE_RESOURCE == 'postgres-flexible') { name: 'postgresFlexible' scope: resourceGroup 
@@ -250,6 +238,21 @@ module monitoring 'core/monitor/monitoring.bicep' = { } } +{% if cookiecutter.project_host == "aca" %} +{% if cookiecutter.database_resource == "postgres-addon" %} +module postgresAddon 'db/postgres-addon.bicep' = if(DATABASE_RESOURCE == 'postgres-addon' && PROJECT_HOST == 'aca') { + name: 'postgresAddon' + scope: resourceGroup + params: { + name: 'dbserver' + location: location + tags: tags + prefix: prefix + containerAppsEnvironmentName: containerApps.outputs.environmentName + } +} +{% endif %} + // Container apps host (including container registry) module containerApps 'core/host/container-apps.bicep' = if (PROJECT_HOST == 'aca') { name: 'container-apps' @@ -263,6 +266,7 @@ module containerApps 'core/host/container-apps.bicep' = if (PROJECT_HOST == 'aca virtualNetworkSubnetId: virtualNetwork.outputs.subnetResourceIds[1] } } +{% endif %} // Web frontend module web 'web.bicep' = { From cd33bfeafbd3d9789e7332f2d0e69cd7124eb5b0 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Wed, 17 Jul 2024 15:57:20 +1000 Subject: [PATCH 12/19] fix jinja rule --- {{cookiecutter.__src_folder_name}}/infra/main.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index 92a63ec..eccd5c7 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -238,8 +238,7 @@ module monitoring 'core/monitor/monitoring.bicep' = { } } -{% if cookiecutter.project_host == "aca" %} -{% if cookiecutter.database_resource == "postgres-addon" %} +{% if cookiecutter.project_host == "aca" and cookiecutter.db_resource == "postgres-addon" %} module postgresAddon 'db/postgres-addon.bicep' = if(DATABASE_RESOURCE == 'postgres-addon' && PROJECT_HOST == 'aca') { name: 'postgresAddon' scope: resourceGroup 
@@ -253,6 +252,7 @@ module postgresAddon 'db/postgres-addon.bicep' = if(DATABASE_RESOURCE == 'postgr } {% endif %} +{% if cookiecutter.project_host == "aca" %} // Container apps host (including container registry) module containerApps 'core/host/container-apps.bicep' = if (PROJECT_HOST == 'aca') { name: 'container-apps' From 9cb507a1cb00f561e5b773192927d89ae9bc7ef4 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Wed, 17 Jul 2024 16:03:55 +1000 Subject: [PATCH 13/19] Network controls in cosmos --- .../infra/db/cosmos-mongodb.bicep | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep index 0851c07..654aa7e 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep @@ -35,6 +35,13 @@ module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = name: dbserverDatabaseName } ] + networkRestrictions: { + publicNetworkAccess: 'Disabled' + ipRules: [] + virtualNetworkRules: [ + {subnetResourceId: subnetResourceId} + ] + } privateEndpoints: [ { privateDnsZoneResourceIds: [ From 032fe3d01cd7fb0a7d6cd73dcea046c4e594b59b Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Wed, 17 Jul 2024 16:15:48 +1000 Subject: [PATCH 14/19] service endpoint for cosmos --- {{cookiecutter.__src_folder_name}}/infra/main.bicep | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index eccd5c7..81ecedb 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep 
@@ -99,6 +99,13 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.1.8' = { addressPrefix: '10.0.4.0/23' name: 'db' tags: tags + serviceEndpoints: [ + {% if cookiecutter.db_resource == 'cosmos-mongodb' %} + { + service: 'Microsoft.AzureCosmosDB' + } + {% endif %} + ] } ] } From 5db25271a9dd5b973c99debd9c10aa41b82839bc Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Wed, 17 Jul 2024 16:38:27 +1000 Subject: [PATCH 15/19] Update rules --- {{cookiecutter.__src_folder_name}}/ps-rule.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/{{cookiecutter.__src_folder_name}}/ps-rule.yaml b/{{cookiecutter.__src_folder_name}}/ps-rule.yaml index 80a3862..4cd70e8 100644 --- a/{{cookiecutter.__src_folder_name}}/ps-rule.yaml +++ b/{{cookiecutter.__src_folder_name}}/ps-rule.yaml @@ -15,3 +15,8 @@ rule: # Don't require Postgres AAD/MI for now - Azure.PostgreSQL.AAD - Azure.PostgreSQL.AADOnly + # These are false positives for mongodb on cosmos + - Azure.Cosmos.DisableMetadataWrite + - Azure.Cosmos.MinTLS + # 'citus' is the builtin username for postgres for cosmos + - Azure.Deployment.AdminUsername From 99f197db643b8e17e45ac17d3db05fbb0ec9e8b6 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Wed, 17 Jul 2024 16:47:24 +1000 Subject: [PATCH 16/19] Fixup the network access rule and service endpoint --- .../infra/db/cosmos-mongodb.bicep | 3 ++- .../infra/main.bicep | 14 +++++++------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep index 654aa7e..f0c0cad 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep 
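Review bot: Excluding `Azure.Cosmos.MinTLS` repository-wide removes the only check that the account enforces TLS 1.2, but the fix for that finding is to set the property, not to silence the rule; if the AVM `database-account` module used here exposes `minimumTlsVersion` (verify for 0.5.6), set it to `'Tls12'` in `db/cosmos-mongodb.bicep` and drop the exclusion. `Azure.Cosmos.DisableMetadataWrite` is labelled a false positive, which is plausible since the module already sets `disableKeyBasedMetadataWriteAccess: true`, but the comment should say so: `# False positive: disableKeyBasedMetadataWriteAccess is set via the AVM module`. `Azure.Deployment.AdminUsername` is justified for cosmos-postgres's fixed `citus` login, yet a `rule.exclude` entry applies to every rendered variant, including postgres-flexible where this repository chooses the admin name — scope it with a PSRule suppression targeting the cosmos resource, or note the trade-off in the comment.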
@@ -7,6 +7,7 @@ param sqlRoleAssignmentPrincipalId string param keyvaultName string param privateDNSZoneResourceId string param subnetResourceId string +param applicationSubnetResourceId string var mongoDbName = '${take(prefix, 36)}-mongodb' @@ -39,7 +40,7 @@ module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = publicNetworkAccess: 'Disabled' ipRules: [] virtualNetworkRules: [ - {subnetResourceId: subnetResourceId} + {subnetResourceId: applicationSubnetResourceId} ] } privateEndpoints: [ diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index 81ecedb..852ec70 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -93,13 +93,6 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.1.8' = { { service: 'Microsoft.KeyVault' } - ] - } - { - addressPrefix: '10.0.4.0/23' - name: 'db' - tags: tags - serviceEndpoints: [ {% if cookiecutter.db_resource == 'cosmos-mongodb' %} { service: 'Microsoft.AzureCosmosDB' @@ -107,6 +100,12 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.1.8' = { {% endif %} ] } + { + addressPrefix: '10.0.4.0/23' + name: 'db' + tags: tags + serviceEndpoints: [] + } ] } } @@ -203,6 +202,7 @@ module cosmosMongoDb 'db/cosmos-mongodb.bicep' = if(DATABASE_RESOURCE == 'cosmos keyvaultName: keyVault.outputs.name privateDNSZoneResourceId: privateDnsZone.outputs.resourceId subnetResourceId: virtualNetwork.outputs.subnetResourceIds[2] + applicationSubnetResourceId: virtualNetwork.outputs.subnetResourceIds[1] } } From fa0df6b2bf738144bddcd894d3c6c3ead0f44bf5 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 22 Jul 2024 12:26:57 +1000 Subject: [PATCH 17/19] Correct private DNS zones for cosmos and keyvault --- .../infra/main.bicep | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) 
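Review bot: With `publicNetworkAccess: 'Disabled'` visible in the same `networkRestrictions` block, the `virtualNetworkRules` entry for `applicationSubnetResourceId` — and the `Microsoft.AzureCosmosDB` service endpoint this commit moves onto the application subnet in `main.bicep` — have, as far as I know, no effect: Cosmos DB treats service-endpoint traffic as public access and, once that is disabled, accepts connections only through the private endpoint. The rule is not harmful, but it documents an access path that does not exist, which will mislead anyone tracing how the app reaches the database. Either drop `virtualNetworkRules` and the service endpoint and comment `// Private endpoint is the only ingress: publicNetworkAccess is Disabled`, or, if the service-endpoint path is intended, confirm against the Cosmos DB networking docs and set `publicNetworkAccess` accordingly. The `networkRestrictions` object begins above this hunk.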
diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index 852ec70..ca11de7 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -110,11 +110,20 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.1.8' = { } } -module privateDnsZone 'br/public:avm/res/network/private-dns-zone:0.3.1' = { - name: 'privateDnsZoneDeployment' +module cosmosMongoPrivateDnsZone 'br/public:avm/res/network/private-dns-zone:0.3.1' = { + name: 'cosmosMongoPrivateDnsZone' scope: resourceGroup params: { - name: 'relecloud.net' + name: 'privatelink.mongo.cosmos.azure.com' + tags: tags + } +} + +module keyvaultPrivateDnsZone 'br/public:avm/res/network/private-dns-zone:0.3.1' = { + name: 'keyvaultPrivateDnsZone' + scope: resourceGroup + params: { + name: 'privatelink.vaultcore.azure.net' tags: tags } } @@ -152,7 +161,7 @@ module keyVault 'br/public:avm/res/key-vault/vault:0.6.2' = { { name: '${name}-keyvault-pe' subnetResourceId: virtualNetwork.outputs.subnetResourceIds[0] - privateDnsZoneResourceIds: [privateDnsZone.outputs.resourceId] + privateDnsZoneResourceIds: [keyvaultPrivateDnsZone.outputs.resourceId] } ] diagnosticSettings: [ @@ -200,7 +209,7 @@ module cosmosMongoDb 'db/cosmos-mongodb.bicep' = if(DATABASE_RESOURCE == 'cosmos dbserverDatabaseName: 'relecloud' sqlRoleAssignmentPrincipalId: web.outputs.SERVICE_WEB_IDENTITY_PRINCIPAL_ID keyvaultName: keyVault.outputs.name - privateDNSZoneResourceId: privateDnsZone.outputs.resourceId + privateDNSZoneResourceId: cosmosMongoPrivateDnsZone.outputs.resourceId subnetResourceId: virtualNetwork.outputs.subnetResourceIds[2] applicationSubnetResourceId: virtualNetwork.outputs.subnetResourceIds[1] } From 9a04f0f9f928f249a8409f2b7b547aa8be09fb6b Mon Sep 17 00:00:00 2001 
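Review bot: Both private DNS zone modules are created with only `name` and `tags`, so nothing here links `privatelink.mongo.cosmos.azure.com` or `privatelink.vaultcore.azure.net` to the virtual network; without a VNet link, clients inside the VNet resolve the public names, and for Cosmos those point at an account whose public access is disabled, so the app cannot connect (unless a link is created somewhere I cannot see). The AVM `private-dns-zone` module has a `virtualNetworkLinks` parameter for this — I believe `virtualNetworkLinks: [{ virtualNetworkResourceId: virtualNetwork.outputs.resourceId }]`; verify the exact shape for 0.3.1 — and it belongs on both zones. Correcting the zone names from `relecloud.net` is the right fix, but it only works end to end with the link in place.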
From: Anthony Shaw Date: Mon, 22 Jul 2024 12:36:27 +1000 Subject: [PATCH 18/19] Move the private DNS zone for cosmos into the cosmos file --- .../infra/db/cosmos-mongodb.bicep | 11 +++++++++-- {{cookiecutter.__src_folder_name}}/infra/main.bicep | 10 ---------- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep index f0c0cad..c426d3f 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/db/cosmos-mongodb.bicep @@ -5,12 +5,19 @@ param prefix string param dbserverDatabaseName string param sqlRoleAssignmentPrincipalId string param keyvaultName string -param privateDNSZoneResourceId string param subnetResourceId string param applicationSubnetResourceId string var mongoDbName = '${take(prefix, 36)}-mongodb' +module cosmosMongoPrivateDnsZone 'br/public:avm/res/network/private-dns-zone:0.3.1' = { + name: 'cosmosMongoPrivateDnsZone' + params: { + name: 'privatelink.mongo.cosmos.azure.com' + tags: tags + } +} + module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = { name: name params: { @@ -46,7 +53,7 @@ module databaseAccount 'br/public:avm/res/document-db/database-account:0.5.6' = privateEndpoints: [ { privateDnsZoneResourceIds: [ - privateDNSZoneResourceId + cosmosMongoPrivateDnsZone.outputs.resourceId ] service: 'MongoDB' subnetResourceId: subnetResourceId diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index ca11de7..cc21d2f 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep 
@@ -110,15 +110,6 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.1.8' = { } } -module cosmosMongoPrivateDnsZone 'br/public:avm/res/network/private-dns-zone:0.3.1' = { - name: 'cosmosMongoPrivateDnsZone' - scope: resourceGroup - params: { - name: 'privatelink.mongo.cosmos.azure.com' - tags: tags - } -} - module keyvaultPrivateDnsZone 'br/public:avm/res/network/private-dns-zone:0.3.1' = { name: 'keyvaultPrivateDnsZone' scope: resourceGroup @@ -209,7 +200,6 @@ module cosmosMongoDb 'db/cosmos-mongodb.bicep' = if(DATABASE_RESOURCE == 'cosmos dbserverDatabaseName: 'relecloud' sqlRoleAssignmentPrincipalId: web.outputs.SERVICE_WEB_IDENTITY_PRINCIPAL_ID keyvaultName: keyVault.outputs.name - privateDNSZoneResourceId: cosmosMongoPrivateDnsZone.outputs.resourceId subnetResourceId: virtualNetwork.outputs.subnetResourceIds[2] applicationSubnetResourceId: virtualNetwork.outputs.subnetResourceIds[1] } From 63b683e13223761937edfea403d463f60ac4ca97 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 22 Jul 2024 12:49:13 +1000 Subject: [PATCH 19/19] Don't use SECRETKEY for Flask apps --- {{cookiecutter.__src_folder_name}}/infra/appservice.bicep | 2 +- {{cookiecutter.__src_folder_name}}/infra/main.bicep | 4 ++-- {{cookiecutter.__src_folder_name}}/infra/main.parameters.json | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/{{cookiecutter.__src_folder_name}}/infra/appservice.bicep b/{{cookiecutter.__src_folder_name}}/infra/appservice.bicep index e33c551..40e05c9 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/appservice.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/appservice.bicep 
@@ -54,7 +54,7 @@ module web 'core/host/appservice.bicep' = { POSTGRES_PASSWORD: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=DBSERVERPASSWORD)' POSTGRES_SSL: 'require' {% endif %} - {% if cookiecutter.project_backend in ("django", "flask") %} + {% if cookiecutter.project_backend in ("django") %} SECRET_KEY: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=SECRETKEY)' {% endif %} {% if 'mongodb' in cookiecutter.db_resource %} diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.bicep b/{{cookiecutter.__src_folder_name}}/infra/main.bicep index cc21d2f..1825975 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.bicep +++ b/{{cookiecutter.__src_folder_name}}/infra/main.bicep @@ -17,7 +17,7 @@ param dbserverPassword string var dbserverPassword = guid(name, resourceGroup.name) // Only used by the linter {% endif %} -{% if cookiecutter.project_backend in ("django", "flask") %} +{% if cookiecutter.project_backend in ("django") %} @secure() @description('Secret Key') param secretKey string @@ -44,7 +44,7 @@ var secrets = [ value: dbserverPassword } {% endif %} - {% if cookiecutter.project_backend in ("django", "flask") %} + {% if cookiecutter.project_backend in ("django") %} { name: 'SECRETKEY' value: secretKey diff --git a/{{cookiecutter.__src_folder_name}}/infra/main.parameters.json b/{{cookiecutter.__src_folder_name}}/infra/main.parameters.json index e5a1b18..519c902 100644 --- a/{{cookiecutter.__src_folder_name}}/infra/main.parameters.json +++ b/{{cookiecutter.__src_folder_name}}/infra/main.parameters.json @@ -16,7 +16,7 @@ }{% if cookiecutter.db_resource in ("postgres-flexible", "cosmos-postgres") %}, "dbserverPassword": { "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} DBSERVERPASSWORD)" - }{% endif %}{% if cookiecutter.project_backend in ("django", "flask") %}, + }{% endif %}{% if cookiecutter.project_backend in ("django") %}, "secretKey": { "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} SECRETKEY)" }
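Review bot: `{% if cookiecutter.project_backend in ("django") %}` no longer tests tuple membership — in Jinja `("django")` is just the string `"django"`, so `in` becomes a substring test that happens to work for the current backend names but would match any future value containing "django"; write `== "django"` (or `("django",)`) in all four places. On substance, the commit title says Flask should not use `SECRETKEY`, yet a Flask app that uses sessions, flash messages or CSRF protection still needs a `SECRET_KEY`, and this change removes the only place the template provisioned one. If the Flask variant generates its own key or genuinely never signs anything, record that next to the `secrets` array: `// Flask template does not use signed sessions; no SECRET_KEY is provisioned`. The `secrets` array and the `web` module edited here both begin outside their hunks.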